topic Re: FWSM InterContext Connection in Network Security

FWSM InterContext Connection

griever060684 — Mon, 11 Mar 2019 13:56:20 GMT

Hi Guys,

It is my first time to inquire on the Cisco NetPro Forums.

ïŠ

I am currently having a problem with one of my set-up in our production environment. Let me first start by describing the set-up of the network infrastructure. I have a two context firewall deployed on our Edge Router Cisco 7609. One context is deployed to cater the DMZ requirement of our network and the other context is allocated to filter incoming traffic from the internet. (Please see attached Powerpoint Document)

A server from the DMZ needs to be accessed from the internet and vice versa. The local address of this server is being translated into a public IP on the firewall context that is catered to filter WWW traffic (WWW Firewall Context).

Problem is that I am unable to successfully connect to the internet using this set-up. I have checked the routing and have verified that I have a complete path going to the vlan interface of WWWFirewall Context. However I am not able to see any traffic hitting my WWWFirewall Context coming from my local address (10.10.10.10).

Re: FWSM InterContext Connection

Farrukh Haroon — Sat, 11 Oct 2008 10:17:45 GMT

Is there a route on the WWW FW Context and the MSFC for the 10.10.10.10 host?

Can you ping 10.10.10.10 from the WWW FW Context?

Regards

Farrukh

Re: FWSM InterContext Connection

Marwan ALshawi — Sat, 11 Oct 2008 13:45:33 GMT

first u need to have a permite ACL becuase fwsm deny all traffic on all interfaces by defualt

then u need static route on wwwFW to the 10.10.10.10 through MSFC

ip route vlan200 10.10.10.10 255.255.255.255 10.10.2.50

on the dmz firewall u need to have the permit ACL on both interfaces as well as mentioned Above fwsm deny all bydefault

the u need route like

ip route vlan220 0.0.0.0 0.0.0.0 10.10.2.49

on MSFC

ip route 0.0.0.0 0.0.0.0 10.10.2.43

good luck

Re: FWSM InterContext Connection

griever060684 — Sun, 12 Oct 2008 02:42:32 GMT

Hi,

Yes I can reach the server 10.10.10.10 from the WWWFW context. I can also ping the FW contex from the 10.10.10.10 host.

I believe that the routing is not an issue anymore since I have set the default routes on th DMZFW context pointing to the MFSC, and the MSFC by default is routing going to the WWWFW Context.

From the WWWFW context, I have 10.10.10.0/24 route pointing to the MSFC (10.10.2.33) and an entry in the MSFC for pointing 10.10.10.0/24 to the DMZFW context.

Might there be an issue on my natting on the WWWFW Context? Because right now, I am mapping 10.10.10.10 to 200.200.30.5. exact entry is

static (VLAN200,VLAN1888) 200.200.30.5 10.10.10.10 netmask 255.255.255.255

Re: FWSM InterContext Connection

griever060684 — Sun, 12 Oct 2008 02:44:48 GMT

Hi,

I already have the default route and access list on both context set to allow the traffic from 10.10.10.10 host to the internet. The routing on the MSFC was also set. I am not sure but I think I am having problem with the translation of the local IP into the global IP.

Re: FWSM InterContext Connection

Marwan ALshawi — Sun, 12 Oct 2008 02:45:43 GMT

can please, confirm that you have the proper permit ACL on both direction i mean in each context u need to have a permit on the inside and outside for the required traffic !!!

Re: FWSM InterContext Connection

griever060684 — Sun, 12 Oct 2008 03:06:50 GMT

Hi Marwanshawi,

Yes I have already placed an acl on both the inbound and outbound direction. I hawever am not getting any hits on the firewall that would translate my local IP to a public IP.

Re: FWSM InterContext Connection

Marwan ALshawi — Sun, 12 Oct 2008 03:08:33 GMT

ok now after u made sure the nating, routing and ACLs configured corectly

RELOAD the FWSM

then try to check out the nating after that

good luck

Re: FWSM InterContext Connection

Farrukh Haroon — Sun, 12 Oct 2008 04:55:17 GMT

You can verify the NAT/connnections by

show conn det | inc 10.10.10.10

show xlate det | inc 10.10.10.10

The only thing having a higher preference than a static would be a nat (x) 0 ACL, incase you have one those on any context?

Regards

Farrukh

Re: FWSM InterContext Connection

griever060684 — Sun, 12 Oct 2008 08:45:35 GMT

Thanks, I'll look into that during the troubleshooting window. Another question, since the static translation I configured on my firewall applies to vlan200 going to vlan1888, do I still need to configure another static translation this time for the interface vlan1888 going to int vlan200?

Re: FWSM InterContext Connection

Marwan ALshawi — Sun, 12 Oct 2008 08:50:14 GMT

u dont need to make the translation twice

once the destination translated to 10.10.10.10

then it will be sent internally to that address when get back to the outside will be retrnaslted to the outside address

good luck

Re: FWSM InterContext Connection

Farrukh Haroon — Sun, 12 Oct 2008 09:45:40 GMT

Yes as Marwan said, static translations are bi-directional. so no need for two statements, in fact the second statement would mean something totally opposite. Similarly "nat (intf) 0 access-list ... " is also bi-directional (NAT exemption).

Regular Dynamic NAT [Nat/Global] and Identity NAT [nat (intf)0 ip mask] are uni-directional only tough.

Regards

Farrukh

Re: FWSM InterContext Connection

griever060684 — Mon, 13 Oct 2008 05:34:37 GMT

hi guys thank you for your help. The issue was already resolved. We just had a problem with the natting of the IP. thanks!